2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth L2CAP core and sockets. */
27 #include <linux/module.h>
29 #include <linux/types.h>
30 #include <linux/capability.h>
31 #include <linux/errno.h>
32 #include <linux/kernel.h>
33 #include <linux/sched.h>
34 #include <linux/slab.h>
35 #include <linux/poll.h>
36 #include <linux/fcntl.h>
37 #include <linux/init.h>
38 #include <linux/interrupt.h>
39 #include <linux/socket.h>
40 #include <linux/skbuff.h>
41 #include <linux/list.h>
42 #include <linux/device.h>
43 #include <linux/uaccess.h>
44 #include <linux/crc16.h>
47 #include <asm/system.h>
48 #include <asm/unaligned.h>
50 #include <net/bluetooth/bluetooth.h>
51 #include <net/bluetooth/hci_core.h>
52 #include <net/bluetooth/l2cap.h>
54 #define VERSION "2.14"
56 static int enable_ertm = 0;
58 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
59 static u8 l2cap_fixed_chan[8] = { 0x02, };
61 static const struct proto_ops l2cap_sock_ops;
63 static struct bt_sock_list l2cap_sk_list = {
64 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
67 static void __l2cap_sock_close(struct sock *sk, int reason);
68 static void l2cap_sock_close(struct sock *sk);
69 static void l2cap_sock_kill(struct sock *sk);
71 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
72 u8 code, u8 ident, u16 dlen, void *data);
74 /* ---- L2CAP timers ---- */
75 static void l2cap_sock_timeout(unsigned long arg)
77 struct sock *sk = (struct sock *) arg;
80 BT_DBG("sock %p state %d", sk, sk->sk_state);
84 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
85 reason = ECONNREFUSED;
86 else if (sk->sk_state == BT_CONNECT &&
87 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
88 reason = ECONNREFUSED;
92 __l2cap_sock_close(sk, reason);
100 static void l2cap_sock_set_timer(struct sock *sk, long timeout)
102 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
103 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
106 static void l2cap_sock_clear_timer(struct sock *sk)
108 BT_DBG("sock %p state %d", sk, sk->sk_state);
109 sk_stop_timer(sk, &sk->sk_timer);
112 /* ---- L2CAP channels ---- */
113 static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
116 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
117 if (l2cap_pi(s)->dcid == cid)
123 static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
126 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
127 if (l2cap_pi(s)->scid == cid)
133 /* Find channel with given SCID.
134 * Returns locked socket */
135 static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
139 s = __l2cap_get_chan_by_scid(l, cid);
142 read_unlock(&l->lock);
146 static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
149 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
150 if (l2cap_pi(s)->ident == ident)
156 static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
160 s = __l2cap_get_chan_by_ident(l, ident);
163 read_unlock(&l->lock);
167 static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
169 u16 cid = L2CAP_CID_DYN_START;
171 for (; cid < L2CAP_CID_DYN_END; cid++) {
172 if (!__l2cap_get_chan_by_scid(l, cid))
179 static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
184 l2cap_pi(l->head)->prev_c = sk;
186 l2cap_pi(sk)->next_c = l->head;
187 l2cap_pi(sk)->prev_c = NULL;
191 static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
193 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
195 write_lock_bh(&l->lock);
200 l2cap_pi(next)->prev_c = prev;
202 l2cap_pi(prev)->next_c = next;
203 write_unlock_bh(&l->lock);
208 static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
210 struct l2cap_chan_list *l = &conn->chan_list;
212 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
213 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
215 conn->disc_reason = 0x13;
217 l2cap_pi(sk)->conn = conn;
219 if (sk->sk_type == SOCK_SEQPACKET) {
220 /* Alloc CID for connection-oriented socket */
221 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
222 } else if (sk->sk_type == SOCK_DGRAM) {
223 /* Connectionless socket */
224 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
225 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
226 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
228 /* Raw socket can send/recv signalling messages only */
229 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
230 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
231 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
234 __l2cap_chan_link(l, sk);
237 bt_accept_enqueue(parent, sk);
241 * Must be called on the locked socket. */
242 static void l2cap_chan_del(struct sock *sk, int err)
244 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
245 struct sock *parent = bt_sk(sk)->parent;
247 l2cap_sock_clear_timer(sk);
249 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
252 /* Unlink from channel list */
253 l2cap_chan_unlink(&conn->chan_list, sk);
254 l2cap_pi(sk)->conn = NULL;
255 hci_conn_put(conn->hcon);
258 sk->sk_state = BT_CLOSED;
259 sock_set_flag(sk, SOCK_ZAPPED);
265 bt_accept_unlink(sk);
266 parent->sk_data_ready(parent, 0);
268 sk->sk_state_change(sk);
271 /* Service level security */
272 static inline int l2cap_check_security(struct sock *sk)
274 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
277 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
278 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
279 auth_type = HCI_AT_NO_BONDING_MITM;
281 auth_type = HCI_AT_NO_BONDING;
283 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
284 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
286 switch (l2cap_pi(sk)->sec_level) {
287 case BT_SECURITY_HIGH:
288 auth_type = HCI_AT_GENERAL_BONDING_MITM;
290 case BT_SECURITY_MEDIUM:
291 auth_type = HCI_AT_GENERAL_BONDING;
294 auth_type = HCI_AT_NO_BONDING;
299 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
303 static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
307 /* Get next available identificator.
308 * 1 - 128 are used by kernel.
309 * 129 - 199 are reserved.
310 * 200 - 254 are used by utilities like l2ping, etc.
313 spin_lock_bh(&conn->lock);
315 if (++conn->tx_ident > 128)
320 spin_unlock_bh(&conn->lock);
325 static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
327 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
329 BT_DBG("code 0x%2.2x", code);
334 return hci_send_acl(conn->hcon, skb, 0);
337 static inline int l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
340 struct l2cap_hdr *lh;
341 struct l2cap_conn *conn = pi->conn;
342 int count, hlen = L2CAP_HDR_SIZE + 2;
344 if (pi->fcs == L2CAP_FCS_CRC16)
347 BT_DBG("pi %p, control 0x%2.2x", pi, control);
349 count = min_t(unsigned int, conn->mtu, hlen);
350 control |= L2CAP_CTRL_FRAME_TYPE;
352 skb = bt_skb_alloc(count, GFP_ATOMIC);
356 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
357 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
358 lh->cid = cpu_to_le16(pi->dcid);
359 put_unaligned_le16(control, skb_put(skb, 2));
361 if (pi->fcs == L2CAP_FCS_CRC16) {
362 u16 fcs = crc16(0, (u8 *)lh, count - 2);
363 put_unaligned_le16(fcs, skb_put(skb, 2));
366 return hci_send_acl(pi->conn->hcon, skb, 0);
369 static inline int l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
371 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY)
372 control |= L2CAP_SUPER_RCV_NOT_READY;
374 control |= L2CAP_SUPER_RCV_READY;
376 return l2cap_send_sframe(pi, control);
379 static void l2cap_do_start(struct sock *sk)
381 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
383 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
384 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
387 if (l2cap_check_security(sk)) {
388 struct l2cap_conn_req req;
389 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
390 req.psm = l2cap_pi(sk)->psm;
392 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
394 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
395 L2CAP_CONN_REQ, sizeof(req), &req);
398 struct l2cap_info_req req;
399 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
401 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
402 conn->info_ident = l2cap_get_ident(conn);
404 mod_timer(&conn->info_timer, jiffies +
405 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
407 l2cap_send_cmd(conn, conn->info_ident,
408 L2CAP_INFO_REQ, sizeof(req), &req);
412 static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk)
414 struct l2cap_disconn_req req;
416 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
417 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
418 l2cap_send_cmd(conn, l2cap_get_ident(conn),
419 L2CAP_DISCONN_REQ, sizeof(req), &req);
422 /* ---- L2CAP connections ---- */
423 static void l2cap_conn_start(struct l2cap_conn *conn)
425 struct l2cap_chan_list *l = &conn->chan_list;
428 BT_DBG("conn %p", conn);
432 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
435 if (sk->sk_type != SOCK_SEQPACKET) {
440 if (sk->sk_state == BT_CONNECT) {
441 if (l2cap_check_security(sk)) {
442 struct l2cap_conn_req req;
443 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
444 req.psm = l2cap_pi(sk)->psm;
446 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
448 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
449 L2CAP_CONN_REQ, sizeof(req), &req);
451 } else if (sk->sk_state == BT_CONNECT2) {
452 struct l2cap_conn_rsp rsp;
453 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
454 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
456 if (l2cap_check_security(sk)) {
457 if (bt_sk(sk)->defer_setup) {
458 struct sock *parent = bt_sk(sk)->parent;
459 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
460 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
461 parent->sk_data_ready(parent, 0);
464 sk->sk_state = BT_CONFIG;
465 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
466 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
469 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
470 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
473 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
474 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
480 read_unlock(&l->lock);
483 static void l2cap_conn_ready(struct l2cap_conn *conn)
485 struct l2cap_chan_list *l = &conn->chan_list;
488 BT_DBG("conn %p", conn);
492 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
495 if (sk->sk_type != SOCK_SEQPACKET) {
496 l2cap_sock_clear_timer(sk);
497 sk->sk_state = BT_CONNECTED;
498 sk->sk_state_change(sk);
499 } else if (sk->sk_state == BT_CONNECT)
505 read_unlock(&l->lock);
508 /* Notify sockets that we cannot guaranty reliability anymore */
509 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
511 struct l2cap_chan_list *l = &conn->chan_list;
514 BT_DBG("conn %p", conn);
518 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
519 if (l2cap_pi(sk)->force_reliable)
523 read_unlock(&l->lock);
526 static void l2cap_info_timeout(unsigned long arg)
528 struct l2cap_conn *conn = (void *) arg;
530 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
531 conn->info_ident = 0;
533 l2cap_conn_start(conn);
536 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
538 struct l2cap_conn *conn = hcon->l2cap_data;
543 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
547 hcon->l2cap_data = conn;
550 BT_DBG("hcon %p conn %p", hcon, conn);
552 conn->mtu = hcon->hdev->acl_mtu;
553 conn->src = &hcon->hdev->bdaddr;
554 conn->dst = &hcon->dst;
558 spin_lock_init(&conn->lock);
559 rwlock_init(&conn->chan_list.lock);
561 setup_timer(&conn->info_timer, l2cap_info_timeout,
562 (unsigned long) conn);
564 conn->disc_reason = 0x13;
569 static void l2cap_conn_del(struct hci_conn *hcon, int err)
571 struct l2cap_conn *conn = hcon->l2cap_data;
577 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
579 kfree_skb(conn->rx_skb);
582 while ((sk = conn->chan_list.head)) {
584 l2cap_chan_del(sk, err);
589 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
590 del_timer_sync(&conn->info_timer);
592 hcon->l2cap_data = NULL;
596 static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
598 struct l2cap_chan_list *l = &conn->chan_list;
599 write_lock_bh(&l->lock);
600 __l2cap_chan_add(conn, sk, parent);
601 write_unlock_bh(&l->lock);
604 /* ---- Socket interface ---- */
605 static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
608 struct hlist_node *node;
609 sk_for_each(sk, node, &l2cap_sk_list.head)
610 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
617 /* Find socket with psm and source bdaddr.
618 * Returns closest match.
620 static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
622 struct sock *sk = NULL, *sk1 = NULL;
623 struct hlist_node *node;
625 sk_for_each(sk, node, &l2cap_sk_list.head) {
626 if (state && sk->sk_state != state)
629 if (l2cap_pi(sk)->psm == psm) {
631 if (!bacmp(&bt_sk(sk)->src, src))
635 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
639 return node ? sk : sk1;
642 /* Find socket with given address (psm, src).
643 * Returns locked socket */
644 static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
647 read_lock(&l2cap_sk_list.lock);
648 s = __l2cap_get_sock_by_psm(state, psm, src);
651 read_unlock(&l2cap_sk_list.lock);
655 static void l2cap_sock_destruct(struct sock *sk)
659 skb_queue_purge(&sk->sk_receive_queue);
660 skb_queue_purge(&sk->sk_write_queue);
663 static void l2cap_sock_cleanup_listen(struct sock *parent)
667 BT_DBG("parent %p", parent);
669 /* Close not yet accepted channels */
670 while ((sk = bt_accept_dequeue(parent, NULL)))
671 l2cap_sock_close(sk);
673 parent->sk_state = BT_CLOSED;
674 sock_set_flag(parent, SOCK_ZAPPED);
677 /* Kill socket (only if zapped and orphan)
678 * Must be called on unlocked socket.
680 static void l2cap_sock_kill(struct sock *sk)
682 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
685 BT_DBG("sk %p state %d", sk, sk->sk_state);
687 /* Kill poor orphan */
688 bt_sock_unlink(&l2cap_sk_list, sk);
689 sock_set_flag(sk, SOCK_DEAD);
693 static void __l2cap_sock_close(struct sock *sk, int reason)
695 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
697 switch (sk->sk_state) {
699 l2cap_sock_cleanup_listen(sk);
704 if (sk->sk_type == SOCK_SEQPACKET) {
705 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
707 sk->sk_state = BT_DISCONN;
708 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
709 l2cap_send_disconn_req(conn, sk);
711 l2cap_chan_del(sk, reason);
715 if (sk->sk_type == SOCK_SEQPACKET) {
716 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
717 struct l2cap_conn_rsp rsp;
720 if (bt_sk(sk)->defer_setup)
721 result = L2CAP_CR_SEC_BLOCK;
723 result = L2CAP_CR_BAD_PSM;
725 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
726 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
727 rsp.result = cpu_to_le16(result);
728 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
729 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
730 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
732 l2cap_chan_del(sk, reason);
737 l2cap_chan_del(sk, reason);
741 sock_set_flag(sk, SOCK_ZAPPED);
746 /* Must be called on unlocked socket. */
747 static void l2cap_sock_close(struct sock *sk)
749 l2cap_sock_clear_timer(sk);
751 __l2cap_sock_close(sk, ECONNRESET);
756 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
758 struct l2cap_pinfo *pi = l2cap_pi(sk);
763 sk->sk_type = parent->sk_type;
764 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
766 pi->imtu = l2cap_pi(parent)->imtu;
767 pi->omtu = l2cap_pi(parent)->omtu;
768 pi->mode = l2cap_pi(parent)->mode;
769 pi->fcs = l2cap_pi(parent)->fcs;
770 pi->sec_level = l2cap_pi(parent)->sec_level;
771 pi->role_switch = l2cap_pi(parent)->role_switch;
772 pi->force_reliable = l2cap_pi(parent)->force_reliable;
774 pi->imtu = L2CAP_DEFAULT_MTU;
776 pi->mode = L2CAP_MODE_BASIC;
777 pi->fcs = L2CAP_FCS_CRC16;
778 pi->sec_level = BT_SECURITY_LOW;
780 pi->force_reliable = 0;
783 /* Default config options */
785 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
786 skb_queue_head_init(TX_QUEUE(sk));
787 skb_queue_head_init(SREJ_QUEUE(sk));
788 INIT_LIST_HEAD(SREJ_LIST(sk));
791 static struct proto l2cap_proto = {
793 .owner = THIS_MODULE,
794 .obj_size = sizeof(struct l2cap_pinfo)
797 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
801 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
805 sock_init_data(sock, sk);
806 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
808 sk->sk_destruct = l2cap_sock_destruct;
809 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
811 sock_reset_flag(sk, SOCK_ZAPPED);
813 sk->sk_protocol = proto;
814 sk->sk_state = BT_OPEN;
816 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
818 bt_sock_link(&l2cap_sk_list, sk);
822 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
827 BT_DBG("sock %p", sock);
829 sock->state = SS_UNCONNECTED;
831 if (sock->type != SOCK_SEQPACKET &&
832 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
833 return -ESOCKTNOSUPPORT;
835 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
838 sock->ops = &l2cap_sock_ops;
840 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
844 l2cap_sock_init(sk, NULL);
848 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
850 struct sock *sk = sock->sk;
851 struct sockaddr_l2 la;
856 if (!addr || addr->sa_family != AF_BLUETOOTH)
859 memset(&la, 0, sizeof(la));
860 len = min_t(unsigned int, sizeof(la), alen);
861 memcpy(&la, addr, len);
868 if (sk->sk_state != BT_OPEN) {
873 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
874 !capable(CAP_NET_BIND_SERVICE)) {
879 write_lock_bh(&l2cap_sk_list.lock);
881 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
884 /* Save source address */
885 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
886 l2cap_pi(sk)->psm = la.l2_psm;
887 l2cap_pi(sk)->sport = la.l2_psm;
888 sk->sk_state = BT_BOUND;
890 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
891 __le16_to_cpu(la.l2_psm) == 0x0003)
892 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
895 write_unlock_bh(&l2cap_sk_list.lock);
902 static int l2cap_do_connect(struct sock *sk)
904 bdaddr_t *src = &bt_sk(sk)->src;
905 bdaddr_t *dst = &bt_sk(sk)->dst;
906 struct l2cap_conn *conn;
907 struct hci_conn *hcon;
908 struct hci_dev *hdev;
912 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
915 hdev = hci_get_route(dst, src);
917 return -EHOSTUNREACH;
919 hci_dev_lock_bh(hdev);
923 if (sk->sk_type == SOCK_RAW) {
924 switch (l2cap_pi(sk)->sec_level) {
925 case BT_SECURITY_HIGH:
926 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
928 case BT_SECURITY_MEDIUM:
929 auth_type = HCI_AT_DEDICATED_BONDING;
932 auth_type = HCI_AT_NO_BONDING;
935 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
936 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
937 auth_type = HCI_AT_NO_BONDING_MITM;
939 auth_type = HCI_AT_NO_BONDING;
941 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
942 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
944 switch (l2cap_pi(sk)->sec_level) {
945 case BT_SECURITY_HIGH:
946 auth_type = HCI_AT_GENERAL_BONDING_MITM;
948 case BT_SECURITY_MEDIUM:
949 auth_type = HCI_AT_GENERAL_BONDING;
952 auth_type = HCI_AT_NO_BONDING;
957 hcon = hci_connect(hdev, ACL_LINK, dst,
958 l2cap_pi(sk)->sec_level, auth_type);
962 conn = l2cap_conn_add(hcon, 0);
970 /* Update source addr of the socket */
971 bacpy(src, conn->src);
973 l2cap_chan_add(conn, sk, NULL);
975 sk->sk_state = BT_CONNECT;
976 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
978 if (hcon->state == BT_CONNECTED) {
979 if (sk->sk_type != SOCK_SEQPACKET) {
980 l2cap_sock_clear_timer(sk);
981 sk->sk_state = BT_CONNECTED;
987 hci_dev_unlock_bh(hdev);
992 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
994 struct sock *sk = sock->sk;
995 struct sockaddr_l2 la;
1000 if (!addr || addr->sa_family != AF_BLUETOOTH)
1003 memset(&la, 0, sizeof(la));
1004 len = min_t(unsigned int, sizeof(la), alen);
1005 memcpy(&la, addr, len);
1012 if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
1017 switch (l2cap_pi(sk)->mode) {
1018 case L2CAP_MODE_BASIC:
1020 case L2CAP_MODE_ERTM:
1021 case L2CAP_MODE_STREAMING:
1030 switch (sk->sk_state) {
1034 /* Already connecting */
1038 /* Already connected */
1051 /* Set destination address and psm */
1052 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1053 l2cap_pi(sk)->psm = la.l2_psm;
1055 err = l2cap_do_connect(sk);
1060 err = bt_sock_wait_state(sk, BT_CONNECTED,
1061 sock_sndtimeo(sk, flags & O_NONBLOCK));
1067 static int l2cap_sock_listen(struct socket *sock, int backlog)
1069 struct sock *sk = sock->sk;
1072 BT_DBG("sk %p backlog %d", sk, backlog);
1076 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
1081 switch (l2cap_pi(sk)->mode) {
1082 case L2CAP_MODE_BASIC:
1084 case L2CAP_MODE_ERTM:
1085 case L2CAP_MODE_STREAMING:
1094 if (!l2cap_pi(sk)->psm) {
1095 bdaddr_t *src = &bt_sk(sk)->src;
1100 write_lock_bh(&l2cap_sk_list.lock);
1102 for (psm = 0x1001; psm < 0x1100; psm += 2)
1103 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1104 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1105 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1110 write_unlock_bh(&l2cap_sk_list.lock);
1116 sk->sk_max_ack_backlog = backlog;
1117 sk->sk_ack_backlog = 0;
1118 sk->sk_state = BT_LISTEN;
1125 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1127 DECLARE_WAITQUEUE(wait, current);
1128 struct sock *sk = sock->sk, *nsk;
1132 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1134 if (sk->sk_state != BT_LISTEN) {
1139 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1141 BT_DBG("sk %p timeo %ld", sk, timeo);
1143 /* Wait for an incoming connection. (wake-one). */
1144 add_wait_queue_exclusive(sk->sk_sleep, &wait);
1145 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1146 set_current_state(TASK_INTERRUPTIBLE);
1153 timeo = schedule_timeout(timeo);
1154 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1156 if (sk->sk_state != BT_LISTEN) {
1161 if (signal_pending(current)) {
1162 err = sock_intr_errno(timeo);
1166 set_current_state(TASK_RUNNING);
1167 remove_wait_queue(sk->sk_sleep, &wait);
1172 newsock->state = SS_CONNECTED;
1174 BT_DBG("new socket %p", nsk);
1181 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1183 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1184 struct sock *sk = sock->sk;
1186 BT_DBG("sock %p, sk %p", sock, sk);
1188 addr->sa_family = AF_BLUETOOTH;
1189 *len = sizeof(struct sockaddr_l2);
1192 la->l2_psm = l2cap_pi(sk)->psm;
1193 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
1194 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1196 la->l2_psm = l2cap_pi(sk)->sport;
1197 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
1198 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
1204 static void l2cap_monitor_timeout(unsigned long arg)
1206 struct sock *sk = (void *) arg;
1210 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
1211 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk);
1215 l2cap_pi(sk)->retry_count++;
1216 __mod_monitor_timer();
1218 control = L2CAP_CTRL_POLL;
1219 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
1223 static void l2cap_retrans_timeout(unsigned long arg)
1225 struct sock *sk = (void *) arg;
1229 l2cap_pi(sk)->retry_count = 1;
1230 __mod_monitor_timer();
1232 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1234 control = L2CAP_CTRL_POLL;
1235 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
1239 static void l2cap_drop_acked_frames(struct sock *sk)
1241 struct sk_buff *skb;
1243 while ((skb = skb_peek(TX_QUEUE(sk)))) {
1244 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1247 skb = skb_dequeue(TX_QUEUE(sk));
1250 l2cap_pi(sk)->unacked_frames--;
1253 if (!l2cap_pi(sk)->unacked_frames)
1254 del_timer(&l2cap_pi(sk)->retrans_timer);
1259 static inline int l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1261 struct l2cap_pinfo *pi = l2cap_pi(sk);
1264 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1266 err = hci_send_acl(pi->conn->hcon, skb, 0);
1273 static int l2cap_streaming_send(struct sock *sk)
1275 struct sk_buff *skb, *tx_skb;
1276 struct l2cap_pinfo *pi = l2cap_pi(sk);
1280 while ((skb = sk->sk_send_head)) {
1281 tx_skb = skb_clone(skb, GFP_ATOMIC);
1283 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1284 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1285 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1287 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) {
1288 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1289 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1292 err = l2cap_do_send(sk, tx_skb);
1294 l2cap_send_disconn_req(pi->conn, sk);
1298 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1300 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1301 sk->sk_send_head = NULL;
1303 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1305 skb = skb_dequeue(TX_QUEUE(sk));
1311 static int l2cap_retransmit_frame(struct sock *sk, u8 tx_seq)
1313 struct l2cap_pinfo *pi = l2cap_pi(sk);
1314 struct sk_buff *skb, *tx_skb;
1318 skb = skb_peek(TX_QUEUE(sk));
1320 if (bt_cb(skb)->tx_seq != tx_seq) {
1321 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1323 skb = skb_queue_next(TX_QUEUE(sk), skb);
1327 if (pi->remote_max_tx &&
1328 bt_cb(skb)->retries == pi->remote_max_tx) {
1329 l2cap_send_disconn_req(pi->conn, sk);
1333 tx_skb = skb_clone(skb, GFP_ATOMIC);
1334 bt_cb(skb)->retries++;
1335 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1336 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1337 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1338 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1340 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) {
1341 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1342 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1345 err = l2cap_do_send(sk, tx_skb);
1347 l2cap_send_disconn_req(pi->conn, sk);
1355 static int l2cap_ertm_send(struct sock *sk)
1357 struct sk_buff *skb, *tx_skb;
1358 struct l2cap_pinfo *pi = l2cap_pi(sk);
1362 if (pi->conn_state & L2CAP_CONN_WAIT_F)
1365 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk)) &&
1366 !(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {
1367 tx_skb = skb_clone(skb, GFP_ATOMIC);
1369 if (pi->remote_max_tx &&
1370 bt_cb(skb)->retries == pi->remote_max_tx) {
1371 l2cap_send_disconn_req(pi->conn, sk);
1375 bt_cb(skb)->retries++;
1377 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1378 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1379 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1380 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1383 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) {
1384 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1385 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1388 err = l2cap_do_send(sk, tx_skb);
1390 l2cap_send_disconn_req(pi->conn, sk);
1393 __mod_retrans_timer();
1395 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1396 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1398 pi->unacked_frames++;
1400 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1401 sk->sk_send_head = NULL;
1403 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1409 static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1411 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1412 struct sk_buff **frag;
1415 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1422 /* Continuation fragments (no L2CAP header) */
1423 frag = &skb_shinfo(skb)->frag_list;
1425 count = min_t(unsigned int, conn->mtu, len);
1427 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1430 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1436 frag = &(*frag)->next;
1442 static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1444 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1445 struct sk_buff *skb;
1446 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1447 struct l2cap_hdr *lh;
1449 BT_DBG("sk %p len %d", sk, (int)len);
1451 count = min_t(unsigned int, (conn->mtu - hlen), len);
1452 skb = bt_skb_send_alloc(sk, count + hlen,
1453 msg->msg_flags & MSG_DONTWAIT, &err);
1455 return ERR_PTR(-ENOMEM);
1457 /* Create L2CAP header */
1458 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1459 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1460 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1461 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1463 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1464 if (unlikely(err < 0)) {
1466 return ERR_PTR(err);
1471 static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1473 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1474 struct sk_buff *skb;
1475 int err, count, hlen = L2CAP_HDR_SIZE;
1476 struct l2cap_hdr *lh;
1478 BT_DBG("sk %p len %d", sk, (int)len);
1480 count = min_t(unsigned int, (conn->mtu - hlen), len);
1481 skb = bt_skb_send_alloc(sk, count + hlen,
1482 msg->msg_flags & MSG_DONTWAIT, &err);
1484 return ERR_PTR(-ENOMEM);
1486 /* Create L2CAP header */
1487 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1488 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1489 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1491 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1492 if (unlikely(err < 0)) {
1494 return ERR_PTR(err);
1499 static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1501 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1502 struct sk_buff *skb;
1503 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1504 struct l2cap_hdr *lh;
1506 BT_DBG("sk %p len %d", sk, (int)len);
1511 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1514 count = min_t(unsigned int, (conn->mtu - hlen), len);
1515 skb = bt_skb_send_alloc(sk, count + hlen,
1516 msg->msg_flags & MSG_DONTWAIT, &err);
1518 return ERR_PTR(-ENOMEM);
1520 /* Create L2CAP header */
1521 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1522 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1523 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1524 put_unaligned_le16(control, skb_put(skb, 2));
1526 put_unaligned_le16(sdulen, skb_put(skb, 2));
1528 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1529 if (unlikely(err < 0)) {
1531 return ERR_PTR(err);
1534 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1535 put_unaligned_le16(0, skb_put(skb, 2));
1537 bt_cb(skb)->retries = 0;
1541 static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1543 struct l2cap_pinfo *pi = l2cap_pi(sk);
1544 struct sk_buff *skb;
1545 struct sk_buff_head sar_queue;
1549 __skb_queue_head_init(&sar_queue);
1550 control = L2CAP_SDU_START;
1551 skb = l2cap_create_iframe_pdu(sk, msg, pi->max_pdu_size, control, len);
1553 return PTR_ERR(skb);
1555 __skb_queue_tail(&sar_queue, skb);
1556 len -= pi->max_pdu_size;
1557 size +=pi->max_pdu_size;
1563 if (len > pi->max_pdu_size) {
1564 control |= L2CAP_SDU_CONTINUE;
1565 buflen = pi->max_pdu_size;
1567 control |= L2CAP_SDU_END;
1571 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
1573 skb_queue_purge(&sar_queue);
1574 return PTR_ERR(skb);
1577 __skb_queue_tail(&sar_queue, skb);
1582 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1583 if (sk->sk_send_head == NULL)
1584 sk->sk_send_head = sar_queue.next;
1589 static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1591 struct sock *sk = sock->sk;
1592 struct l2cap_pinfo *pi = l2cap_pi(sk);
1593 struct sk_buff *skb;
1597 BT_DBG("sock %p, sk %p", sock, sk);
1599 err = sock_error(sk);
1603 if (msg->msg_flags & MSG_OOB)
1606 /* Check outgoing MTU */
1607 if (sk->sk_type == SOCK_SEQPACKET && pi->mode == L2CAP_MODE_BASIC &&
1613 if (sk->sk_state != BT_CONNECTED) {
1618 /* Connectionless channel */
1619 if (sk->sk_type == SOCK_DGRAM) {
1620 skb = l2cap_create_connless_pdu(sk, msg, len);
1621 err = l2cap_do_send(sk, skb);
1626 case L2CAP_MODE_BASIC:
1627 /* Create a basic PDU */
1628 skb = l2cap_create_basic_pdu(sk, msg, len);
1634 err = l2cap_do_send(sk, skb);
1639 case L2CAP_MODE_ERTM:
1640 case L2CAP_MODE_STREAMING:
1641 /* Entire SDU fits into one PDU */
1642 if (len <= pi->max_pdu_size) {
1643 control = L2CAP_SDU_UNSEGMENTED;
1644 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1649 __skb_queue_tail(TX_QUEUE(sk), skb);
1650 if (sk->sk_send_head == NULL)
1651 sk->sk_send_head = skb;
1653 /* Segment SDU into multiples PDUs */
1654 err = l2cap_sar_segment_sdu(sk, msg, len);
1659 if (pi->mode == L2CAP_MODE_STREAMING)
1660 err = l2cap_streaming_send(sk);
1662 err = l2cap_ertm_send(sk);
1669 BT_DBG("bad state %1.1x", pi->mode);
1678 static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1680 struct sock *sk = sock->sk;
1684 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1685 struct l2cap_conn_rsp rsp;
1687 sk->sk_state = BT_CONFIG;
1689 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1690 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1691 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1692 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1693 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1694 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1702 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1705 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1707 struct sock *sk = sock->sk;
1708 struct l2cap_options opts;
1712 BT_DBG("sk %p", sk);
1718 opts.imtu = l2cap_pi(sk)->imtu;
1719 opts.omtu = l2cap_pi(sk)->omtu;
1720 opts.flush_to = l2cap_pi(sk)->flush_to;
1721 opts.mode = l2cap_pi(sk)->mode;
1722 opts.fcs = l2cap_pi(sk)->fcs;
1724 len = min_t(unsigned int, sizeof(opts), optlen);
1725 if (copy_from_user((char *) &opts, optval, len)) {
1730 l2cap_pi(sk)->imtu = opts.imtu;
1731 l2cap_pi(sk)->omtu = opts.omtu;
1732 l2cap_pi(sk)->mode = opts.mode;
1733 l2cap_pi(sk)->fcs = opts.fcs;
1737 if (get_user(opt, (u32 __user *) optval)) {
1742 if (opt & L2CAP_LM_AUTH)
1743 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1744 if (opt & L2CAP_LM_ENCRYPT)
1745 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1746 if (opt & L2CAP_LM_SECURE)
1747 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1749 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1750 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1762 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
1764 struct sock *sk = sock->sk;
1765 struct bt_security sec;
1769 BT_DBG("sk %p", sk);
1771 if (level == SOL_L2CAP)
1772 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1774 if (level != SOL_BLUETOOTH)
1775 return -ENOPROTOOPT;
1781 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1786 sec.level = BT_SECURITY_LOW;
1788 len = min_t(unsigned int, sizeof(sec), optlen);
1789 if (copy_from_user((char *) &sec, optval, len)) {
1794 if (sec.level < BT_SECURITY_LOW ||
1795 sec.level > BT_SECURITY_HIGH) {
1800 l2cap_pi(sk)->sec_level = sec.level;
1803 case BT_DEFER_SETUP:
1804 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1809 if (get_user(opt, (u32 __user *) optval)) {
1814 bt_sk(sk)->defer_setup = opt;
1826 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1828 struct sock *sk = sock->sk;
1829 struct l2cap_options opts;
1830 struct l2cap_conninfo cinfo;
1834 BT_DBG("sk %p", sk);
1836 if (get_user(len, optlen))
1843 opts.imtu = l2cap_pi(sk)->imtu;
1844 opts.omtu = l2cap_pi(sk)->omtu;
1845 opts.flush_to = l2cap_pi(sk)->flush_to;
1846 opts.mode = l2cap_pi(sk)->mode;
1847 opts.fcs = l2cap_pi(sk)->fcs;
1849 len = min_t(unsigned int, len, sizeof(opts));
1850 if (copy_to_user(optval, (char *) &opts, len))
1856 switch (l2cap_pi(sk)->sec_level) {
1857 case BT_SECURITY_LOW:
1858 opt = L2CAP_LM_AUTH;
1860 case BT_SECURITY_MEDIUM:
1861 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1863 case BT_SECURITY_HIGH:
1864 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1872 if (l2cap_pi(sk)->role_switch)
1873 opt |= L2CAP_LM_MASTER;
1875 if (l2cap_pi(sk)->force_reliable)
1876 opt |= L2CAP_LM_RELIABLE;
1878 if (put_user(opt, (u32 __user *) optval))
1882 case L2CAP_CONNINFO:
1883 if (sk->sk_state != BT_CONNECTED &&
1884 !(sk->sk_state == BT_CONNECT2 &&
1885 bt_sk(sk)->defer_setup)) {
1890 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1891 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1893 len = min_t(unsigned int, len, sizeof(cinfo));
1894 if (copy_to_user(optval, (char *) &cinfo, len))
1908 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1910 struct sock *sk = sock->sk;
1911 struct bt_security sec;
1914 BT_DBG("sk %p", sk);
1916 if (level == SOL_L2CAP)
1917 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1919 if (level != SOL_BLUETOOTH)
1920 return -ENOPROTOOPT;
1922 if (get_user(len, optlen))
1929 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1934 sec.level = l2cap_pi(sk)->sec_level;
1936 len = min_t(unsigned int, len, sizeof(sec));
1937 if (copy_to_user(optval, (char *) &sec, len))
1942 case BT_DEFER_SETUP:
1943 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1948 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1962 static int l2cap_sock_shutdown(struct socket *sock, int how)
1964 struct sock *sk = sock->sk;
1967 BT_DBG("sock %p, sk %p", sock, sk);
1973 if (!sk->sk_shutdown) {
1974 sk->sk_shutdown = SHUTDOWN_MASK;
1975 l2cap_sock_clear_timer(sk);
1976 __l2cap_sock_close(sk, 0);
1978 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
1979 err = bt_sock_wait_state(sk, BT_CLOSED,
1986 static int l2cap_sock_release(struct socket *sock)
1988 struct sock *sk = sock->sk;
1991 BT_DBG("sock %p, sk %p", sock, sk);
1996 err = l2cap_sock_shutdown(sock, 2);
1999 l2cap_sock_kill(sk);
2003 static void l2cap_chan_ready(struct sock *sk)
2005 struct sock *parent = bt_sk(sk)->parent;
2007 BT_DBG("sk %p, parent %p", sk, parent);
2009 l2cap_pi(sk)->conf_state = 0;
2010 l2cap_sock_clear_timer(sk);
2013 /* Outgoing channel.
2014 * Wake up socket sleeping on connect.
2016 sk->sk_state = BT_CONNECTED;
2017 sk->sk_state_change(sk);
2019 /* Incoming channel.
2020 * Wake up socket sleeping on accept.
2022 parent->sk_data_ready(parent, 0);
2026 /* Copy frame to all raw sockets on that connection */
2027 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2029 struct l2cap_chan_list *l = &conn->chan_list;
2030 struct sk_buff *nskb;
2033 BT_DBG("conn %p", conn);
2035 read_lock(&l->lock);
2036 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2037 if (sk->sk_type != SOCK_RAW)
2040 /* Don't send frame to the socket it came from */
2043 nskb = skb_clone(skb, GFP_ATOMIC);
2047 if (sock_queue_rcv_skb(sk, nskb))
2050 read_unlock(&l->lock);
2053 /* ---- L2CAP signalling commands ---- */
2054 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2055 u8 code, u8 ident, u16 dlen, void *data)
2057 struct sk_buff *skb, **frag;
2058 struct l2cap_cmd_hdr *cmd;
2059 struct l2cap_hdr *lh;
2062 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2063 conn, code, ident, dlen);
2065 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2066 count = min_t(unsigned int, conn->mtu, len);
2068 skb = bt_skb_alloc(count, GFP_ATOMIC);
2072 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2073 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2074 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2076 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2079 cmd->len = cpu_to_le16(dlen);
2082 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2083 memcpy(skb_put(skb, count), data, count);
2089 /* Continuation fragments (no L2CAP header) */
2090 frag = &skb_shinfo(skb)->frag_list;
2092 count = min_t(unsigned int, conn->mtu, len);
2094 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2098 memcpy(skb_put(*frag, count), data, count);
2103 frag = &(*frag)->next;
2113 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2115 struct l2cap_conf_opt *opt = *ptr;
2118 len = L2CAP_CONF_OPT_SIZE + opt->len;
2126 *val = *((u8 *) opt->val);
2130 *val = __le16_to_cpu(*((__le16 *) opt->val));
2134 *val = __le32_to_cpu(*((__le32 *) opt->val));
2138 *val = (unsigned long) opt->val;
2142 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2146 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2148 struct l2cap_conf_opt *opt = *ptr;
2150 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2157 *((u8 *) opt->val) = val;
2161 *((__le16 *) opt->val) = cpu_to_le16(val);
2165 *((__le32 *) opt->val) = cpu_to_le32(val);
2169 memcpy(opt->val, (void *) val, len);
2173 *ptr += L2CAP_CONF_OPT_SIZE + len;
2176 static inline void l2cap_ertm_init(struct sock *sk)
2178 l2cap_pi(sk)->expected_ack_seq = 0;
2179 l2cap_pi(sk)->unacked_frames = 0;
2180 l2cap_pi(sk)->buffer_seq = 0;
2181 l2cap_pi(sk)->num_to_ack = 0;
2183 setup_timer(&l2cap_pi(sk)->retrans_timer,
2184 l2cap_retrans_timeout, (unsigned long) sk);
2185 setup_timer(&l2cap_pi(sk)->monitor_timer,
2186 l2cap_monitor_timeout, (unsigned long) sk);
2188 __skb_queue_head_init(SREJ_QUEUE(sk));
2191 static int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
2193 u32 local_feat_mask = l2cap_feat_mask;
2195 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
2198 case L2CAP_MODE_ERTM:
2199 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
2200 case L2CAP_MODE_STREAMING:
2201 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
2207 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2210 case L2CAP_MODE_STREAMING:
2211 case L2CAP_MODE_ERTM:
2212 if (l2cap_mode_supported(mode, remote_feat_mask))
2216 return L2CAP_MODE_BASIC;
2220 static int l2cap_build_conf_req(struct sock *sk, void *data)
2222 struct l2cap_pinfo *pi = l2cap_pi(sk);
2223 struct l2cap_conf_req *req = data;
2224 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2225 void *ptr = req->data;
2227 BT_DBG("sk %p", sk);
2229 if (pi->num_conf_req || pi->num_conf_rsp)
2233 case L2CAP_MODE_STREAMING:
2234 case L2CAP_MODE_ERTM:
2235 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
2236 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2237 l2cap_send_disconn_req(pi->conn, sk);
2240 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2246 case L2CAP_MODE_BASIC:
2247 if (pi->imtu != L2CAP_DEFAULT_MTU)
2248 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2251 case L2CAP_MODE_ERTM:
2252 rfc.mode = L2CAP_MODE_ERTM;
2253 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2254 rfc.max_transmit = L2CAP_DEFAULT_MAX_TX;
2255 rfc.retrans_timeout = 0;
2256 rfc.monitor_timeout = 0;
2257 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
2259 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2260 sizeof(rfc), (unsigned long) &rfc);
2262 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2265 if (pi->fcs == L2CAP_FCS_NONE ||
2266 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2267 pi->fcs = L2CAP_FCS_NONE;
2268 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2272 case L2CAP_MODE_STREAMING:
2273 rfc.mode = L2CAP_MODE_STREAMING;
2275 rfc.max_transmit = 0;
2276 rfc.retrans_timeout = 0;
2277 rfc.monitor_timeout = 0;
2278 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
2280 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2281 sizeof(rfc), (unsigned long) &rfc);
2283 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2286 if (pi->fcs == L2CAP_FCS_NONE ||
2287 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2288 pi->fcs = L2CAP_FCS_NONE;
2289 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2294 /* FIXME: Need actual value of the flush timeout */
2295 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2296 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2298 req->dcid = cpu_to_le16(pi->dcid);
2299 req->flags = cpu_to_le16(0);
2304 static int l2cap_parse_conf_req(struct sock *sk, void *data)
2306 struct l2cap_pinfo *pi = l2cap_pi(sk);
2307 struct l2cap_conf_rsp *rsp = data;
2308 void *ptr = rsp->data;
2309 void *req = pi->conf_req;
2310 int len = pi->conf_len;
2311 int type, hint, olen;
2313 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2314 u16 mtu = L2CAP_DEFAULT_MTU;
2315 u16 result = L2CAP_CONF_SUCCESS;
2317 BT_DBG("sk %p", sk);
2319 while (len >= L2CAP_CONF_OPT_SIZE) {
2320 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
2322 hint = type & L2CAP_CONF_HINT;
2323 type &= L2CAP_CONF_MASK;
2326 case L2CAP_CONF_MTU:
2330 case L2CAP_CONF_FLUSH_TO:
2334 case L2CAP_CONF_QOS:
2337 case L2CAP_CONF_RFC:
2338 if (olen == sizeof(rfc))
2339 memcpy(&rfc, (void *) val, olen);
2342 case L2CAP_CONF_FCS:
2343 if (val == L2CAP_FCS_NONE)
2344 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2352 result = L2CAP_CONF_UNKNOWN;
2353 *((u8 *) ptr++) = type;
2358 if (pi->num_conf_rsp || pi->num_conf_req)
2362 case L2CAP_MODE_STREAMING:
2363 case L2CAP_MODE_ERTM:
2364 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
2365 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2366 return -ECONNREFUSED;
2369 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2374 if (pi->mode != rfc.mode) {
2375 result = L2CAP_CONF_UNACCEPT;
2376 rfc.mode = pi->mode;
2378 if (pi->num_conf_rsp == 1)
2379 return -ECONNREFUSED;
2381 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2382 sizeof(rfc), (unsigned long) &rfc);
2386 if (result == L2CAP_CONF_SUCCESS) {
2387 /* Configure output options and let the other side know
2388 * which ones we don't like. */
2390 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2391 result = L2CAP_CONF_UNACCEPT;
2394 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2396 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2399 case L2CAP_MODE_BASIC:
2400 pi->fcs = L2CAP_FCS_NONE;
2401 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2404 case L2CAP_MODE_ERTM:
2405 pi->remote_tx_win = rfc.txwin_size;
2406 pi->remote_max_tx = rfc.max_transmit;
2407 pi->max_pdu_size = rfc.max_pdu_size;
2409 rfc.retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
2410 rfc.monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
2412 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2414 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2415 sizeof(rfc), (unsigned long) &rfc);
2419 case L2CAP_MODE_STREAMING:
2420 pi->remote_tx_win = rfc.txwin_size;
2421 pi->max_pdu_size = rfc.max_pdu_size;
2423 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2425 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2426 sizeof(rfc), (unsigned long) &rfc);
2431 result = L2CAP_CONF_UNACCEPT;
2433 memset(&rfc, 0, sizeof(rfc));
2434 rfc.mode = pi->mode;
2437 if (result == L2CAP_CONF_SUCCESS)
2438 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2440 rsp->scid = cpu_to_le16(pi->dcid);
2441 rsp->result = cpu_to_le16(result);
2442 rsp->flags = cpu_to_le16(0x0000);
2447 static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2449 struct l2cap_pinfo *pi = l2cap_pi(sk);
2450 struct l2cap_conf_req *req = data;
2451 void *ptr = req->data;
2454 struct l2cap_conf_rfc rfc;
2456 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2458 while (len >= L2CAP_CONF_OPT_SIZE) {
2459 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2462 case L2CAP_CONF_MTU:
2463 if (val < L2CAP_DEFAULT_MIN_MTU) {
2464 *result = L2CAP_CONF_UNACCEPT;
2465 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2468 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2471 case L2CAP_CONF_FLUSH_TO:
2473 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2477 case L2CAP_CONF_RFC:
2478 if (olen == sizeof(rfc))
2479 memcpy(&rfc, (void *)val, olen);
2481 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2482 rfc.mode != pi->mode)
2483 return -ECONNREFUSED;
2485 pi->mode = rfc.mode;
2488 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2489 sizeof(rfc), (unsigned long) &rfc);
2494 if (*result == L2CAP_CONF_SUCCESS) {
2496 case L2CAP_MODE_ERTM:
2497 pi->remote_tx_win = rfc.txwin_size;
2498 pi->retrans_timeout = rfc.retrans_timeout;
2499 pi->monitor_timeout = rfc.monitor_timeout;
2500 pi->max_pdu_size = le16_to_cpu(rfc.max_pdu_size);
2502 case L2CAP_MODE_STREAMING:
2503 pi->max_pdu_size = le16_to_cpu(rfc.max_pdu_size);
2508 req->dcid = cpu_to_le16(pi->dcid);
2509 req->flags = cpu_to_le16(0x0000);
2514 static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
2516 struct l2cap_conf_rsp *rsp = data;
2517 void *ptr = rsp->data;
2519 BT_DBG("sk %p", sk);
2521 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2522 rsp->result = cpu_to_le16(result);
2523 rsp->flags = cpu_to_le16(flags);
2528 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2530 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2532 if (rej->reason != 0x0000)
2535 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2536 cmd->ident == conn->info_ident) {
2537 del_timer(&conn->info_timer);
2539 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2540 conn->info_ident = 0;
2542 l2cap_conn_start(conn);
2548 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2550 struct l2cap_chan_list *list = &conn->chan_list;
2551 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2552 struct l2cap_conn_rsp rsp;
2553 struct sock *sk, *parent;
2554 int result, status = L2CAP_CS_NO_INFO;
2556 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2557 __le16 psm = req->psm;
2559 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2561 /* Check if we have socket listening on psm */
2562 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2564 result = L2CAP_CR_BAD_PSM;
2568 /* Check if the ACL is secure enough (if not SDP) */
2569 if (psm != cpu_to_le16(0x0001) &&
2570 !hci_conn_check_link_mode(conn->hcon)) {
2571 conn->disc_reason = 0x05;
2572 result = L2CAP_CR_SEC_BLOCK;
2576 result = L2CAP_CR_NO_MEM;
2578 /* Check for backlog size */
2579 if (sk_acceptq_is_full(parent)) {
2580 BT_DBG("backlog full %d", parent->sk_ack_backlog);
2584 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
2588 write_lock_bh(&list->lock);
2590 /* Check if we already have channel with that dcid */
2591 if (__l2cap_get_chan_by_dcid(list, scid)) {
2592 write_unlock_bh(&list->lock);
2593 sock_set_flag(sk, SOCK_ZAPPED);
2594 l2cap_sock_kill(sk);
2598 hci_conn_hold(conn->hcon);
2600 l2cap_sock_init(sk, parent);
2601 bacpy(&bt_sk(sk)->src, conn->src);
2602 bacpy(&bt_sk(sk)->dst, conn->dst);
2603 l2cap_pi(sk)->psm = psm;
2604 l2cap_pi(sk)->dcid = scid;
2606 __l2cap_chan_add(conn, sk, parent);
2607 dcid = l2cap_pi(sk)->scid;
2609 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2611 l2cap_pi(sk)->ident = cmd->ident;
2613 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2614 if (l2cap_check_security(sk)) {
2615 if (bt_sk(sk)->defer_setup) {
2616 sk->sk_state = BT_CONNECT2;
2617 result = L2CAP_CR_PEND;
2618 status = L2CAP_CS_AUTHOR_PEND;
2619 parent->sk_data_ready(parent, 0);
2621 sk->sk_state = BT_CONFIG;
2622 result = L2CAP_CR_SUCCESS;
2623 status = L2CAP_CS_NO_INFO;
2626 sk->sk_state = BT_CONNECT2;
2627 result = L2CAP_CR_PEND;
2628 status = L2CAP_CS_AUTHEN_PEND;
2631 sk->sk_state = BT_CONNECT2;
2632 result = L2CAP_CR_PEND;
2633 status = L2CAP_CS_NO_INFO;
2636 write_unlock_bh(&list->lock);
2639 bh_unlock_sock(parent);
2642 rsp.scid = cpu_to_le16(scid);
2643 rsp.dcid = cpu_to_le16(dcid);
2644 rsp.result = cpu_to_le16(result);
2645 rsp.status = cpu_to_le16(status);
2646 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2648 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2649 struct l2cap_info_req info;
2650 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2652 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2653 conn->info_ident = l2cap_get_ident(conn);
2655 mod_timer(&conn->info_timer, jiffies +
2656 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2658 l2cap_send_cmd(conn, conn->info_ident,
2659 L2CAP_INFO_REQ, sizeof(info), &info);
2665 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2667 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2668 u16 scid, dcid, result, status;
2672 scid = __le16_to_cpu(rsp->scid);
2673 dcid = __le16_to_cpu(rsp->dcid);
2674 result = __le16_to_cpu(rsp->result);
2675 status = __le16_to_cpu(rsp->status);
2677 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2680 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2684 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2690 case L2CAP_CR_SUCCESS:
2691 sk->sk_state = BT_CONFIG;
2692 l2cap_pi(sk)->ident = 0;
2693 l2cap_pi(sk)->dcid = dcid;
2694 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2696 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2698 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2699 l2cap_build_conf_req(sk, req), req);
2700 l2cap_pi(sk)->num_conf_req++;
2704 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
2708 l2cap_chan_del(sk, ECONNREFUSED);
2716 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2718 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2724 dcid = __le16_to_cpu(req->dcid);
2725 flags = __le16_to_cpu(req->flags);
2727 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2729 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2733 if (sk->sk_state == BT_DISCONN)
2736 /* Reject if config buffer is too small. */
2737 len = cmd_len - sizeof(*req);
2738 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2739 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2740 l2cap_build_conf_rsp(sk, rsp,
2741 L2CAP_CONF_REJECT, flags), rsp);
2746 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2747 l2cap_pi(sk)->conf_len += len;
2749 if (flags & 0x0001) {
2750 /* Incomplete config. Send empty response. */
2751 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2752 l2cap_build_conf_rsp(sk, rsp,
2753 L2CAP_CONF_SUCCESS, 0x0001), rsp);
2757 /* Complete config. */
2758 len = l2cap_parse_conf_req(sk, rsp);
2760 l2cap_send_disconn_req(conn, sk);
2764 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2765 l2cap_pi(sk)->num_conf_rsp++;
2767 /* Reset config buffer. */
2768 l2cap_pi(sk)->conf_len = 0;
2770 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2773 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2774 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
2775 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
2776 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2778 sk->sk_state = BT_CONNECTED;
2780 l2cap_pi(sk)->next_tx_seq = 0;
2781 l2cap_pi(sk)->expected_tx_seq = 0;
2782 __skb_queue_head_init(TX_QUEUE(sk));
2783 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2784 l2cap_ertm_init(sk);
2786 l2cap_chan_ready(sk);
2790 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
2792 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2793 l2cap_build_conf_req(sk, buf), buf);
2794 l2cap_pi(sk)->num_conf_req++;
2802 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2804 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2805 u16 scid, flags, result;
2808 scid = __le16_to_cpu(rsp->scid);
2809 flags = __le16_to_cpu(rsp->flags);
2810 result = __le16_to_cpu(rsp->result);
2812 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2813 scid, flags, result);
2815 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2820 case L2CAP_CONF_SUCCESS:
2823 case L2CAP_CONF_UNACCEPT:
2824 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2825 int len = cmd->len - sizeof(*rsp);
2828 /* throw out any old stored conf requests */
2829 result = L2CAP_CONF_SUCCESS;
2830 len = l2cap_parse_conf_rsp(sk, rsp->data,
2833 l2cap_send_disconn_req(conn, sk);
2837 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2838 L2CAP_CONF_REQ, len, req);
2839 l2cap_pi(sk)->num_conf_req++;
2840 if (result != L2CAP_CONF_SUCCESS)
2846 sk->sk_state = BT_DISCONN;
2847 sk->sk_err = ECONNRESET;
2848 l2cap_sock_set_timer(sk, HZ * 5);
2849 l2cap_send_disconn_req(conn, sk);
2856 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2858 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2859 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
2860 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
2861 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2863 sk->sk_state = BT_CONNECTED;
2864 l2cap_pi(sk)->next_tx_seq = 0;
2865 l2cap_pi(sk)->expected_tx_seq = 0;
2866 __skb_queue_head_init(TX_QUEUE(sk));
2867 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2868 l2cap_ertm_init(sk);
2870 l2cap_chan_ready(sk);
2878 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2880 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2881 struct l2cap_disconn_rsp rsp;
2885 scid = __le16_to_cpu(req->scid);
2886 dcid = __le16_to_cpu(req->dcid);
2888 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2890 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2894 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2895 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2896 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2898 sk->sk_shutdown = SHUTDOWN_MASK;
2900 skb_queue_purge(TX_QUEUE(sk));
2902 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
2903 skb_queue_purge(SREJ_QUEUE(sk));
2904 del_timer(&l2cap_pi(sk)->retrans_timer);
2905 del_timer(&l2cap_pi(sk)->monitor_timer);
2908 l2cap_chan_del(sk, ECONNRESET);
2911 l2cap_sock_kill(sk);
2915 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2917 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2921 scid = __le16_to_cpu(rsp->scid);
2922 dcid = __le16_to_cpu(rsp->dcid);
2924 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2926 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2930 skb_queue_purge(TX_QUEUE(sk));
2932 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
2933 skb_queue_purge(SREJ_QUEUE(sk));
2934 del_timer(&l2cap_pi(sk)->retrans_timer);
2935 del_timer(&l2cap_pi(sk)->monitor_timer);
2938 l2cap_chan_del(sk, 0);
2941 l2cap_sock_kill(sk);
2945 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2947 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
2950 type = __le16_to_cpu(req->type);
2952 BT_DBG("type 0x%4.4x", type);
2954 if (type == L2CAP_IT_FEAT_MASK) {
2956 u32 feat_mask = l2cap_feat_mask;
2957 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2958 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2959 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2961 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2963 put_unaligned_le32(feat_mask, rsp->data);
2964 l2cap_send_cmd(conn, cmd->ident,
2965 L2CAP_INFO_RSP, sizeof(buf), buf);
2966 } else if (type == L2CAP_IT_FIXED_CHAN) {
2968 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2969 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2970 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2971 memcpy(buf + 4, l2cap_fixed_chan, 8);
2972 l2cap_send_cmd(conn, cmd->ident,
2973 L2CAP_INFO_RSP, sizeof(buf), buf);
2975 struct l2cap_info_rsp rsp;
2976 rsp.type = cpu_to_le16(type);
2977 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2978 l2cap_send_cmd(conn, cmd->ident,
2979 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2985 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2987 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2990 type = __le16_to_cpu(rsp->type);
2991 result = __le16_to_cpu(rsp->result);
2993 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2995 del_timer(&conn->info_timer);
2997 if (type == L2CAP_IT_FEAT_MASK) {
2998 conn->feat_mask = get_unaligned_le32(rsp->data);
3000 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
3001 struct l2cap_info_req req;
3002 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3004 conn->info_ident = l2cap_get_ident(conn);
3006 l2cap_send_cmd(conn, conn->info_ident,
3007 L2CAP_INFO_REQ, sizeof(req), &req);
3009 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3010 conn->info_ident = 0;
3012 l2cap_conn_start(conn);
3014 } else if (type == L2CAP_IT_FIXED_CHAN) {
3015 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3016 conn->info_ident = 0;
3018 l2cap_conn_start(conn);
3024 static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3026 u8 *data = skb->data;
3028 struct l2cap_cmd_hdr cmd;
3031 l2cap_raw_recv(conn, skb);
3033 while (len >= L2CAP_CMD_HDR_SIZE) {
3035 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3036 data += L2CAP_CMD_HDR_SIZE;
3037 len -= L2CAP_CMD_HDR_SIZE;
3039 cmd_len = le16_to_cpu(cmd.len);
3041 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
3043 if (cmd_len > len || !cmd.ident) {
3044 BT_DBG("corrupted command");
3049 case L2CAP_COMMAND_REJ:
3050 l2cap_command_rej(conn, &cmd, data);
3053 case L2CAP_CONN_REQ:
3054 err = l2cap_connect_req(conn, &cmd, data);
3057 case L2CAP_CONN_RSP:
3058 err = l2cap_connect_rsp(conn, &cmd, data);
3061 case L2CAP_CONF_REQ:
3062 err = l2cap_config_req(conn, &cmd, cmd_len, data);
3065 case L2CAP_CONF_RSP:
3066 err = l2cap_config_rsp(conn, &cmd, data);
3069 case L2CAP_DISCONN_REQ:
3070 err = l2cap_disconnect_req(conn, &cmd, data);
3073 case L2CAP_DISCONN_RSP:
3074 err = l2cap_disconnect_rsp(conn, &cmd, data);
3077 case L2CAP_ECHO_REQ:
3078 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
3081 case L2CAP_ECHO_RSP:
3084 case L2CAP_INFO_REQ:
3085 err = l2cap_information_req(conn, &cmd, data);
3088 case L2CAP_INFO_RSP:
3089 err = l2cap_information_rsp(conn, &cmd, data);
3093 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3099 struct l2cap_cmd_rej rej;
3100 BT_DBG("error %d", err);
3102 /* FIXME: Map err to a valid reason */
3103 rej.reason = cpu_to_le16(0);
3104 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3114 static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3116 u16 our_fcs, rcv_fcs;
3117 int hdr_size = L2CAP_HDR_SIZE + 2;
3119 if (pi->fcs == L2CAP_FCS_CRC16) {
3120 skb_trim(skb, skb->len - 2);
3121 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3122 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3124 if (our_fcs != rcv_fcs)
3130 static void l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
3132 struct sk_buff *next_skb;
3134 bt_cb(skb)->tx_seq = tx_seq;
3135 bt_cb(skb)->sar = sar;
3137 next_skb = skb_peek(SREJ_QUEUE(sk));
3139 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3144 if (bt_cb(next_skb)->tx_seq > tx_seq) {
3145 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
3149 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3152 } while((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
3154 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3157 static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3159 struct l2cap_pinfo *pi = l2cap_pi(sk);
3160 struct sk_buff *_skb;
3163 switch (control & L2CAP_CTRL_SAR) {
3164 case L2CAP_SDU_UNSEGMENTED:
3165 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3170 err = sock_queue_rcv_skb(sk, skb);
3176 case L2CAP_SDU_START:
3177 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3182 pi->sdu_len = get_unaligned_le16(skb->data);
3185 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3191 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3193 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3194 pi->partial_sdu_len = skb->len;
3198 case L2CAP_SDU_CONTINUE:
3199 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3202 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3204 pi->partial_sdu_len += skb->len;
3205 if (pi->partial_sdu_len > pi->sdu_len)
3213 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3216 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3218 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3219 pi->partial_sdu_len += skb->len;
3221 if (pi->partial_sdu_len == pi->sdu_len) {
3222 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3223 err = sock_queue_rcv_skb(sk, _skb);
3237 static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3239 struct sk_buff *skb;
3242 while((skb = skb_peek(SREJ_QUEUE(sk)))) {
3243 if (bt_cb(skb)->tx_seq != tx_seq)
3246 skb = skb_dequeue(SREJ_QUEUE(sk));
3247 control |= bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3248 l2cap_sar_reassembly_sdu(sk, skb, control);
3249 l2cap_pi(sk)->buffer_seq_srej =
3250 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
3255 static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3257 struct l2cap_pinfo *pi = l2cap_pi(sk);
3258 struct srej_list *l, *tmp;
3261 list_for_each_entry_safe(l,tmp, SREJ_LIST(sk), list) {
3262 if (l->tx_seq == tx_seq) {
3267 control = L2CAP_SUPER_SELECT_REJECT;
3268 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3269 l2cap_send_sframe(pi, control);
3271 list_add_tail(&l->list, SREJ_LIST(sk));
3275 static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3277 struct l2cap_pinfo *pi = l2cap_pi(sk);
3278 struct srej_list *new;
3281 while (tx_seq != pi->expected_tx_seq) {
3282 control = L2CAP_SUPER_SELECT_REJECT;
3283 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3284 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
3285 control |= L2CAP_CTRL_POLL;
3286 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
3288 l2cap_send_sframe(pi, control);
3290 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3291 new->tx_seq = pi->expected_tx_seq++;
3292 list_add_tail(&new->list, SREJ_LIST(sk));
3294 pi->expected_tx_seq++;
3297 static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3299 struct l2cap_pinfo *pi = l2cap_pi(sk);
3300 u8 tx_seq = __get_txseq(rx_control);
3301 u8 req_seq = __get_reqseq(rx_control);
3303 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
3306 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3308 pi->expected_ack_seq = req_seq;
3309 l2cap_drop_acked_frames(sk);
3311 if (tx_seq == pi->expected_tx_seq)
3314 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3315 struct srej_list *first;
3317 first = list_first_entry(SREJ_LIST(sk),
3318 struct srej_list, list);
3319 if (tx_seq == first->tx_seq) {
3320 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3321 l2cap_check_srej_gap(sk, tx_seq);
3323 list_del(&first->list);
3326 if (list_empty(SREJ_LIST(sk))) {
3327 pi->buffer_seq = pi->buffer_seq_srej;
3328 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3331 struct srej_list *l;
3332 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3334 list_for_each_entry(l, SREJ_LIST(sk), list) {
3335 if (l->tx_seq == tx_seq) {
3336 l2cap_resend_srejframe(sk, tx_seq);
3340 l2cap_send_srejframe(sk, tx_seq);
3343 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
3345 INIT_LIST_HEAD(SREJ_LIST(sk));
3346 pi->buffer_seq_srej = pi->buffer_seq;
3348 __skb_queue_head_init(SREJ_QUEUE(sk));
3349 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3351 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3353 l2cap_send_srejframe(sk, tx_seq);
3358 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3360 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3361 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3365 if (rx_control & L2CAP_CTRL_FINAL) {
3366 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3367 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3369 sk->sk_send_head = TX_QUEUE(sk)->next;
3370 pi->next_tx_seq = pi->expected_ack_seq;
3371 l2cap_ertm_send(sk);
3375 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3377 err = l2cap_sar_reassembly_sdu(sk, skb, rx_control);
3381 pi->num_to_ack = (pi->num_to_ack + 1) % L2CAP_DEFAULT_NUM_TO_ACK;
3382 if (pi->num_to_ack == L2CAP_DEFAULT_NUM_TO_ACK - 1) {
3383 tx_control |= L2CAP_SUPER_RCV_READY;
3384 tx_control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3385 l2cap_send_sframe(pi, tx_control);
3390 static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3392 struct l2cap_pinfo *pi = l2cap_pi(sk);
3393 u8 tx_seq = __get_reqseq(rx_control);
3395 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3397 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3398 case L2CAP_SUPER_RCV_READY:
3399 if (rx_control & L2CAP_CTRL_POLL) {
3400 u16 control = L2CAP_CTRL_FINAL;
3401 control |= L2CAP_SUPER_RCV_READY |
3402 (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT);
3403 l2cap_send_sframe(l2cap_pi(sk), control);
3404 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3406 } else if (rx_control & L2CAP_CTRL_FINAL) {
3407 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3408 pi->expected_ack_seq = tx_seq;
3409 l2cap_drop_acked_frames(sk);
3411 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3412 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3414 sk->sk_send_head = TX_QUEUE(sk)->next;
3415 pi->next_tx_seq = pi->expected_ack_seq;
3416 l2cap_ertm_send(sk);
3419 if (!(pi->conn_state & L2CAP_CONN_WAIT_F))
3422 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3423 del_timer(&pi->monitor_timer);
3425 if (pi->unacked_frames > 0)
3426 __mod_retrans_timer();
3428 pi->expected_ack_seq = tx_seq;
3429 l2cap_drop_acked_frames(sk);
3431 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3432 (pi->unacked_frames > 0))
3433 __mod_retrans_timer();
3435 l2cap_ertm_send(sk);
3436 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3440 case L2CAP_SUPER_REJECT:
3441 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3443 pi->expected_ack_seq = __get_reqseq(rx_control);
3444 l2cap_drop_acked_frames(sk);
3446 if (rx_control & L2CAP_CTRL_FINAL) {
3447 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3448 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
3450 sk->sk_send_head = TX_QUEUE(sk)->next;
3451 pi->next_tx_seq = pi->expected_ack_seq;
3452 l2cap_ertm_send(sk);
3455 sk->sk_send_head = TX_QUEUE(sk)->next;
3456 pi->next_tx_seq = pi->expected_ack_seq;
3457 l2cap_ertm_send(sk);
3459 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3460 pi->srej_save_reqseq = tx_seq;
3461 pi->conn_state |= L2CAP_CONN_REJ_ACT;
3467 case L2CAP_SUPER_SELECT_REJECT:
3468 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3470 if (rx_control & L2CAP_CTRL_POLL) {
3471 l2cap_retransmit_frame(sk, tx_seq);
3472 pi->expected_ack_seq = tx_seq;
3473 l2cap_drop_acked_frames(sk);
3474 l2cap_ertm_send(sk);
3475 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3476 pi->srej_save_reqseq = tx_seq;
3477 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
3479 } else if (rx_control & L2CAP_CTRL_FINAL) {
3480 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
3481 pi->srej_save_reqseq == tx_seq)
3482 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
3484 l2cap_retransmit_frame(sk, tx_seq);
3487 l2cap_retransmit_frame(sk, tx_seq);
3488 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3489 pi->srej_save_reqseq = tx_seq;
3490 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
3495 case L2CAP_SUPER_RCV_NOT_READY:
3496 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3497 pi->expected_ack_seq = tx_seq;
3498 l2cap_drop_acked_frames(sk);
3500 del_timer(&l2cap_pi(sk)->retrans_timer);
3501 if (rx_control & L2CAP_CTRL_POLL) {
3502 u16 control = L2CAP_CTRL_FINAL;
3503 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
3511 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3514 struct l2cap_pinfo *pi;
3519 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
3521 BT_DBG("unknown cid 0x%4.4x", cid);
3527 BT_DBG("sk %p, len %d", sk, skb->len);
3529 if (sk->sk_state != BT_CONNECTED)
3533 case L2CAP_MODE_BASIC:
3534 /* If socket recv buffers overflows we drop data here
3535 * which is *bad* because L2CAP has to be reliable.
3536 * But we don't have any other choice. L2CAP doesn't
3537 * provide flow control mechanism. */
3539 if (pi->imtu < skb->len)
3542 if (!sock_queue_rcv_skb(sk, skb))
3546 case L2CAP_MODE_ERTM:
3547 control = get_unaligned_le16(skb->data);
3551 if (__is_sar_start(control))
3554 if (pi->fcs == L2CAP_FCS_CRC16)
3558 * We can just drop the corrupted I-frame here.
3559 * Receiver will miss it and start proper recovery
3560 * procedures and ask retransmission.
3562 if (len > L2CAP_DEFAULT_MAX_PDU_SIZE)
3565 if (l2cap_check_fcs(pi, skb))
3568 if (__is_iframe(control))
3569 err = l2cap_data_channel_iframe(sk, control, skb);
3571 err = l2cap_data_channel_sframe(sk, control, skb);
3577 case L2CAP_MODE_STREAMING:
3578 control = get_unaligned_le16(skb->data);
3582 if (__is_sar_start(control))
3585 if (pi->fcs == L2CAP_FCS_CRC16)
3588 if (len > L2CAP_DEFAULT_MAX_PDU_SIZE || __is_sframe(control))
3591 if (l2cap_check_fcs(pi, skb))
3594 tx_seq = __get_txseq(control);
3596 if (pi->expected_tx_seq == tx_seq)
3597 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3599 pi->expected_tx_seq = tx_seq + 1;
3601 err = l2cap_sar_reassembly_sdu(sk, skb, control);
3606 BT_DBG("sk %p: bad mode 0x%2.2x", sk, l2cap_pi(sk)->mode);
3620 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
3624 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
3628 BT_DBG("sk %p, len %d", sk, skb->len);
3630 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3633 if (l2cap_pi(sk)->imtu < skb->len)
3636 if (!sock_queue_rcv_skb(sk, skb))
3648 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3650 struct l2cap_hdr *lh = (void *) skb->data;
3654 skb_pull(skb, L2CAP_HDR_SIZE);
3655 cid = __le16_to_cpu(lh->cid);
3656 len = __le16_to_cpu(lh->len);
3658 if (len != skb->len) {
3663 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3666 case L2CAP_CID_SIGNALING:
3667 l2cap_sig_channel(conn, skb);
3670 case L2CAP_CID_CONN_LESS:
3671 psm = get_unaligned_le16(skb->data);
3673 l2cap_conless_channel(conn, psm, skb);
3677 l2cap_data_channel(conn, cid, skb);
3682 /* ---- L2CAP interface with lower layer (HCI) ---- */
3684 static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3686 int exact = 0, lm1 = 0, lm2 = 0;
3687 register struct sock *sk;
3688 struct hlist_node *node;
3690 if (type != ACL_LINK)
3693 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3695 /* Find listening sockets and check their link_mode */
3696 read_lock(&l2cap_sk_list.lock);
3697 sk_for_each(sk, node, &l2cap_sk_list.head) {
3698 if (sk->sk_state != BT_LISTEN)
3701 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
3702 lm1 |= HCI_LM_ACCEPT;
3703 if (l2cap_pi(sk)->role_switch)
3704 lm1 |= HCI_LM_MASTER;
3706 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3707 lm2 |= HCI_LM_ACCEPT;
3708 if (l2cap_pi(sk)->role_switch)
3709 lm2 |= HCI_LM_MASTER;
3712 read_unlock(&l2cap_sk_list.lock);
3714 return exact ? lm1 : lm2;
3717 static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3719 struct l2cap_conn *conn;
3721 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3723 if (hcon->type != ACL_LINK)
3727 conn = l2cap_conn_add(hcon, status);
3729 l2cap_conn_ready(conn);
3731 l2cap_conn_del(hcon, bt_err(status));
3736 static int l2cap_disconn_ind(struct hci_conn *hcon)
3738 struct l2cap_conn *conn = hcon->l2cap_data;
3740 BT_DBG("hcon %p", hcon);
3742 if (hcon->type != ACL_LINK || !conn)
3745 return conn->disc_reason;
3748 static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
3750 BT_DBG("hcon %p reason %d", hcon, reason);
3752 if (hcon->type != ACL_LINK)
3755 l2cap_conn_del(hcon, bt_err(reason));
3760 static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
3762 if (sk->sk_type != SOCK_SEQPACKET)
3765 if (encrypt == 0x00) {
3766 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
3767 l2cap_sock_clear_timer(sk);
3768 l2cap_sock_set_timer(sk, HZ * 5);
3769 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
3770 __l2cap_sock_close(sk, ECONNREFUSED);
3772 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
3773 l2cap_sock_clear_timer(sk);
3777 static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3779 struct l2cap_chan_list *l;
3780 struct l2cap_conn *conn = hcon->l2cap_data;
3786 l = &conn->chan_list;
3788 BT_DBG("conn %p", conn);
3790 read_lock(&l->lock);
3792 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
3795 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
3800 if (!status && (sk->sk_state == BT_CONNECTED ||
3801 sk->sk_state == BT_CONFIG)) {
3802 l2cap_check_encryption(sk, encrypt);
3807 if (sk->sk_state == BT_CONNECT) {
3809 struct l2cap_conn_req req;
3810 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
3811 req.psm = l2cap_pi(sk)->psm;
3813 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
3815 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
3816 L2CAP_CONN_REQ, sizeof(req), &req);
3818 l2cap_sock_clear_timer(sk);
3819 l2cap_sock_set_timer(sk, HZ / 10);
3821 } else if (sk->sk_state == BT_CONNECT2) {
3822 struct l2cap_conn_rsp rsp;
3826 sk->sk_state = BT_CONFIG;
3827 result = L2CAP_CR_SUCCESS;
3829 sk->sk_state = BT_DISCONN;
3830 l2cap_sock_set_timer(sk, HZ / 10);
3831 result = L2CAP_CR_SEC_BLOCK;
3834 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
3835 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3836 rsp.result = cpu_to_le16(result);
3837 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3838 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
3839 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3845 read_unlock(&l->lock);
3850 static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
3852 struct l2cap_conn *conn = hcon->l2cap_data;
3854 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
3857 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
3859 if (flags & ACL_START) {
3860 struct l2cap_hdr *hdr;
3864 BT_ERR("Unexpected start frame (len %d)", skb->len);
3865 kfree_skb(conn->rx_skb);
3866 conn->rx_skb = NULL;
3868 l2cap_conn_unreliable(conn, ECOMM);
3872 BT_ERR("Frame is too short (len %d)", skb->len);
3873 l2cap_conn_unreliable(conn, ECOMM);
3877 hdr = (struct l2cap_hdr *) skb->data;
3878 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
3880 if (len == skb->len) {
3881 /* Complete frame received */
3882 l2cap_recv_frame(conn, skb);
3886 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
3888 if (skb->len > len) {
3889 BT_ERR("Frame is too long (len %d, expected len %d)",
3891 l2cap_conn_unreliable(conn, ECOMM);
3895 /* Allocate skb for the complete frame (with header) */
3896 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
3900 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
3902 conn->rx_len = len - skb->len;
3904 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
3906 if (!conn->rx_len) {
3907 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
3908 l2cap_conn_unreliable(conn, ECOMM);
3912 if (skb->len > conn->rx_len) {
3913 BT_ERR("Fragment is too long (len %d, expected %d)",
3914 skb->len, conn->rx_len);
3915 kfree_skb(conn->rx_skb);
3916 conn->rx_skb = NULL;
3918 l2cap_conn_unreliable(conn, ECOMM);
3922 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
3924 conn->rx_len -= skb->len;
3926 if (!conn->rx_len) {
3927 /* Complete frame received */
3928 l2cap_recv_frame(conn, conn->rx_skb);
3929 conn->rx_skb = NULL;
3938 static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
3941 struct hlist_node *node;
3944 read_lock_bh(&l2cap_sk_list.lock);
3946 sk_for_each(sk, node, &l2cap_sk_list.head) {
3947 struct l2cap_pinfo *pi = l2cap_pi(sk);
3949 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
3950 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
3951 sk->sk_state, __le16_to_cpu(pi->psm), pi->scid,
3952 pi->dcid, pi->imtu, pi->omtu, pi->sec_level);
3955 read_unlock_bh(&l2cap_sk_list.lock);
3960 static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
3962 static const struct proto_ops l2cap_sock_ops = {
3963 .family = PF_BLUETOOTH,
3964 .owner = THIS_MODULE,
3965 .release = l2cap_sock_release,
3966 .bind = l2cap_sock_bind,
3967 .connect = l2cap_sock_connect,
3968 .listen = l2cap_sock_listen,
3969 .accept = l2cap_sock_accept,
3970 .getname = l2cap_sock_getname,
3971 .sendmsg = l2cap_sock_sendmsg,
3972 .recvmsg = l2cap_sock_recvmsg,
3973 .poll = bt_sock_poll,
3974 .ioctl = bt_sock_ioctl,
3975 .mmap = sock_no_mmap,
3976 .socketpair = sock_no_socketpair,
3977 .shutdown = l2cap_sock_shutdown,
3978 .setsockopt = l2cap_sock_setsockopt,
3979 .getsockopt = l2cap_sock_getsockopt
3982 static const struct net_proto_family l2cap_sock_family_ops = {
3983 .family = PF_BLUETOOTH,
3984 .owner = THIS_MODULE,
3985 .create = l2cap_sock_create,
3988 static struct hci_proto l2cap_hci_proto = {
3990 .id = HCI_PROTO_L2CAP,
3991 .connect_ind = l2cap_connect_ind,
3992 .connect_cfm = l2cap_connect_cfm,
3993 .disconn_ind = l2cap_disconn_ind,
3994 .disconn_cfm = l2cap_disconn_cfm,
3995 .security_cfm = l2cap_security_cfm,
3996 .recv_acldata = l2cap_recv_acldata
3999 static int __init l2cap_init(void)
4003 err = proto_register(&l2cap_proto, 0);
4007 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4009 BT_ERR("L2CAP socket registration failed");
4013 err = hci_register_proto(&l2cap_hci_proto);
4015 BT_ERR("L2CAP protocol registration failed");
4016 bt_sock_unregister(BTPROTO_L2CAP);
4020 if (class_create_file(bt_class, &class_attr_l2cap) < 0)
4021 BT_ERR("Failed to create L2CAP info file");
4023 BT_INFO("L2CAP ver %s", VERSION);
4024 BT_INFO("L2CAP socket layer initialized");
4029 proto_unregister(&l2cap_proto);
4033 static void __exit l2cap_exit(void)
4035 class_remove_file(bt_class, &class_attr_l2cap);
4037 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4038 BT_ERR("L2CAP socket unregistration failed");
4040 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4041 BT_ERR("L2CAP protocol unregistration failed");
4043 proto_unregister(&l2cap_proto);
4046 void l2cap_load(void)
4048 /* Dummy function to trigger automatic L2CAP module loading by
4049 * other modules that use L2CAP sockets but don't use any other
4050 * symbols from it. */
4053 EXPORT_SYMBOL(l2cap_load);
4055 module_init(l2cap_init);
4056 module_exit(l2cap_exit);
4058 module_param(enable_ertm, bool, 0644);
4059 MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
4061 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
4062 MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4063 MODULE_VERSION(VERSION);
4064 MODULE_LICENSE("GPL");
4065 MODULE_ALIAS("bt-proto-0");